LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-20-2009, 12:38 PM   #1
bonobo09
LQ Newbie
 
Registered: Jul 2009
Posts: 2

Sites serving malicious content


Hello,

I don't have much experience with security and I was hoping that someone will point me in the right direction.

I have noticed that the server was hacked and content was put in the webserver folders - now I think the server is on "Sites serving malicious content".

How can I investigate? Or where can I start to clean up this machine and find out how people got into the server?

Any advice will be greatly appreciated.
 
Old 07-20-2009, 12:42 PM   #2
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,407

There is a Linux Security forum here on LQ. Hit the report button and ask to have your post moved there. You're probably going to be asked for a lot of information by some very well qualified people, and you're probably going to wind up having to completely rebuild your server (it is your server?). Good luck!
 
Old 07-20-2009, 12:50 PM   #3
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

There is a well known problem where the Apache web server can be made to serve Windows viruses. Are you running the Apache web server software?

You may find answers faster if you use Google to search for information. I searched Google for "apache virus serving" and got some good links. A little imagination can result in other good search strings.
 
Old 07-20-2009, 12:59 PM   #4
bonobo09
LQ Newbie
 
Registered: Jul 2009
Posts: 2

Original Poster
Yes, I am running Apache on that server and serving CGI. I found the malicious content and removed it. But how do I trace how someone got into the server and created that content? And how do I prevent that from happening again?

Thank you so much for your help.
 
Old 07-20-2009, 01:29 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by bonobo09 View Post
I have noticed that the server was hacked and content was put in the webserver folders - now I think the server is on "Sites serving malicious content".
How did you find out? What did you notice?


Quote:
Originally Posted by bonobo09 View Post
I found the malicious content and removed it. but how to trace how someone got into the server and created those contents? and prevent that from happening again?
Removing files is a good way to stop serving them. However it does not stop people from uploading files again. To help you with that we need more information from you. Like if your system and application logs show any "weird errors" and what software you run on top of your webserver. Do you run a CMS or forum software? And what versions? Do you run FTP? Statistics software like awstats? Prevention we should talk about only after you have stabilized the current situation and know how to deal with the aftermath. For now please post a listing by running (adjust paths and output if necessary): '( /bin/ps -axfwwwe 2>&1; /usr/sbin/lsof -P -w -n 2>&1; /bin/netstat -anpe 2>&1; /usr/bin/w -lf 2>&1; /usr/bin/last 2>&1 ) | tee /tmp/log' and shut down (and keep from restarting) any running webserver, database, ftp and other publicly accessible services you do not need for managing the server (basically you'll only need SSH to access it). Please post as much information as possible and check back regularly because we might want you to run more commands.



Quote:
Originally Posted by stress_junkie View Post
There is a well known problem where the Apache web server can be made to serve Windows viruses.
Awesome! Could you please share the details of that "well known problem"? I'm really curious as to what this would be then.

Quote:
Originally Posted by stress_junkie View Post
You may find answers faster if you use Google to search for information.
People search LQ to find help with their problems. They might join LQ if they require more help. Telling them then to "go Google" does not really help a user if s/he does not know what the problem is or what to look for, especially in cases like these.
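An added example, not part of unSpawn's post: a POSIX shell script that runs the same collection commands he lists (ps, lsof, netstat, w, last), labels each section, keeps going when a tool is missing or fails, and also lists files under the web root modified in the last few days, since content dropped into the webserver folders usually stands out by modification time. The output directory, web-root path and day count are the script's own assumed arguments.

```shell
#!/bin/sh
# Snapshot of volatile state for a suspected web-server compromise.
# Added example; OUTDIR/WEBROOT/DAYS are assumed arguments, not from the thread.

# run_section LABEL CMD...: run one command, capture stdout+stderr,
# and never abort the whole collection if the tool is absent or fails.
run_section() {
    label=$1; shift
    printf '\n===== %s: %s =====\n' "$label" "$*"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || printf '[%s exited with status %s]\n' "$1" "$?"
    else
        printf '[%s not found on this host]\n' "$1"
    fi
}

# collect_triage OUTDIR WEBROOT [DAYS]: write one timestamped report,
# print its path so a caller can hash or copy it off the box.
collect_triage() {
    outdir=$1; webroot=$2; days=${3:-7}
    mkdir -p "$outdir"
    report="$outdir/triage-$(date -u +%Y%m%dT%H%M%SZ).log"
    {
        printf 'host=%s collected=%s\n' "$(hostname 2>/dev/null || uname -n)" "$(date -u)"
        run_section "processes (tree, environment)" ps -axfwwwe
        run_section "open files" lsof -P -w -n
        run_section "sockets" netstat -anpe
        run_section "logged-in users" w -lf
        run_section "login history" last
        # Recently written files under the document root: the uploaded
        # content the original poster found is the kind of thing this lists.
        printf '\n===== files under %s modified in last %s days =====\n' "$webroot" "$days"
        find "$webroot" -type f -mtime "-$days" -exec ls -l {} \; 2>&1
    } > "$report"
    printf '%s\n' "$report"
}
```

Copy the report off the host before changing anything else on it, so later cleanup does not overwrite the evidence.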
 
Old 07-20-2009, 07:58 PM   #6
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Quote:
Originally Posted by unSpawn View Post
Awesome! Could you please share the details of that "well known problem"? I'm really curious as to what this would be then.
It was surprisingly difficult to find any reference to this, especially since it was discovered only a few months ago. Nevertheless here is one reference:
http://www.secureworks.com/research/.../linuxservers/

I'm sure that I originally read about it elsewhere.

Quote:
Originally Posted by unSpawn View Post
People search LQ to find help with their problems. They might join LQ if they require more help. Telling them then to "go Google" does not really help a user if s/he does not know what the problem is or what to look for, especially in cases like these.
Having just done the Google search for this issue I can say that useful information was not as easy to find as I had expected. This was a big brouhaha just five months ago.

I understand your point but in some cases a question poster would find more information faster by using a web search site than by waiting for an answer here. I just reread the LQ rules. This isn't mentioned. I thought that it was.

http://www.linuxquestions.org/linux/rules.html

I think that there is a balance between providing information on request and asking someone to be a little bit self sufficient. Maybe I'm wrong.
 
Old 07-21-2009, 06:39 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by stress_junkie View Post
It was surprisingly difficult to find any reference to this (..) I'm sure that I originally read about it elsewhere.
Thanks for following up. The link you posted points to the "Random JS rootkit". Addressing your "well-known problem where the Apache web server" comment, this does not expose a flaw in Apache, meaning the references point to "traditional" avenues of attack and mitre.org doesn't show any CVEs that appear to be related. (For reference, in discovery > disclosure > protection order: The Register, Slashdot, linux.com, SANS ISC, Trendmicro, Finjan, servertune.com, servertune.com, SANS ISC, SANS ISC)



Quote:
Originally Posted by stress_junkie View Post
I understand your point but in some cases a question poster would find more information faster by using a web search site than by waiting for an answer here. (..) I think that there is a balance between providing information on request and asking someone to be a little bit self sufficient. Maybe I'm wrong.
You're not wrong about there being a balance. Speaking in general terms, even when faced with overly broad questions we should take the time to point out how to ask questions or where to find documentation. Those that possess more than new user level knowledge must realise that for people getting to the point where they truly are self-sufficient requires time, effort and dedication. As goes for all of us, even then there will be areas of expertise where help, guidance or a second opinion is appreciated. More than that, it is LQ's primary goal to serve as a quality knowledge base. That means that with each unresolved question we have the opportunity to "write documentation", as it were, that helps this LQ member now but will also help other GNU/Linux users later on. And when combined with a structured approach to troubleshooting, the educational "added value" will serve as a good example of how to foster self-sufficiency. Still speaking in general terms, for some this could mean dropping the "get first reply in" attitude altogether, for others doing (more) research before they post, and for others not dismissing a thread having one or more replies as "solved". Me writing this does absolutely not exclude me from not seeing the same pitfalls at times...
 